GHSA-hc5w-gxxr-w8x8: Sliver Allows Authenticated Operator-to-Server Remote Code Execution

July 18, 2024

Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged “operator” user. The RCE is as the system root user.

References

github.com/BishopFox/sliver
github.com/BishopFox/sliver/commit/0deaee625d14c6f05f63c86e5c3b7ae623a1138f
github.com/BishopFox/sliver/pull/1281
github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8
github.com/advisories/GHSA-hc5w-gxxr-w8x8

Code Behaviors & Features

Detect and mitigate GHSA-hc5w-gxxr-w8x8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →